Base64 encoding explained

5 min read

If you’ve worked with the web for any length of time, you’ve seen it: a long, seemingly random string of letters, digits, plus signs and slashes, maybe ending in one or two equals signs. That’s Base64, and once you know what it’s for, it stops looking mysterious.

The problem Base64 solves

Computers store everything — images, files, encryption keys — as raw bytes, and many of those byte values don’t correspond to printable characters. That’s a problem when you need to send binary data through a channel built for plain text: an email body, a URL, a JSON field, an HTML attribute. Put raw bytes there and they get corrupted. Base64 is the fix. It re-expresses arbitrary binary data using just 64 safe, printable characters (A–Z, a–z, 0–9, plus + and /) that survive being passed around as text.

How it works, briefly

Base64 takes the input three bytes (24 bits) at a time and splits those 24 bits into four groups of six. Each six-bit group indexes into the 64-character alphabet, producing four output characters for every three input bytes. When the input length isn’t a multiple of three, the output is padded with one or two = signs — which is why so many Base64 strings end that way. Because four characters encode three bytes, Base64 output is about 33% larger than the original data. That size overhead is the price of text-safety.

Where you’ll encounter it

  • Data URIs — small images embedded directly in HTML or CSS as data:image/png;base64,… (try the Image to Base64 tool).
  • JWTs — the header and payload of a JSON Web Token are Base64url-encoded.
  • Email attachments — MIME encodes binary attachments as Base64 so they travel as text.
  • API responses and config — binary blobs, certificates and keys are often stored or transmitted Base64-encoded.

The crucial misconception: it is not encryption

This is the mistake to avoid. Base64 is an encoding, not encryption. There’s no key and no secret — anyone can decode a Base64 string back to the original in an instant, which is exactly what our Base64 encoder/decoder does. It offers zero security. Never use Base64 to “hide” a password, token or any sensitive value; if something needs to be secret, it needs real encryption. Base64 only makes data safe to transport, not safe to expose.

Base64 vs. URL encoding

They’re often confused because both make data safe for text-based channels, but they solve different problems. Base64 turns binary into printable text. URL encoding (percent-encoding) escapes individual characters that have special meaning in a URL, like spaces and ampersands, so a value can sit safely in a query string. There’s even a “Base64url” variant that swaps the + and / characters for URL-safe ones — which is what JWTs use.

That’s the whole idea: Base64 is a reversible way to carry binary data through text-only pipes. Useful and everywhere — just never mistaken for a lock.

Tools in this guide